Magic-Mirror/radare2
1
0
Fork 0
mirror of https://github.com/radareorg/radare2.git synced 2024-11-24 05:40:10 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Fix UAF in RStr.replaceIcase() spotted by coverity ##util

Browse Source
This commit is contained in:
pancake 2023-03-31 13:28:50 +02:00 committed by pancake
parent a8143d8fb2
commit b7767dcc80
1 changed files with 8 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
libr/util/str.c
View File

@ -1013,26 +1013,24 @@ R_API R_MUSTUSE char* r_str_replace(char *str, const char *key, const char *val,
R_API R_MUSTUSE char *r_str_replace_icase(char *str, const char *key, const char *val, int g, int keep_case) {
r_return_val_if_fail (str && key && val, NULL);
int off, i, klen, vlen, slen;
char *newstr, *p = str;
klen = strlen (key);
vlen = strlen (val);
slen = strlen (str);
size_t off, i;
size_t klen = strlen (key);
size_t vlen = strlen (val);
size_t slen = strlen (str);
for (i = 0; i < slen;) {
p = (char *)r_str_casestr (str + i, key);
if (!p) {
break;
}
off = (int)(size_t) (p - str);
off = (size_t) (p - str);
if (vlen != klen) {
int tlen = slen - (off + klen);
slen += vlen - klen;
if (vlen > klen) {
newstr = realloc (str, slen + 1);
if (!newstr) {
goto alloc_fail;
return NULL;
}
str = newstr;
}
@ -1046,12 +1044,12 @@ R_API R_MUSTUSE char *r_str_replace_icase(char *str, const char *key, const char
if (!tmp_val || !str_case) {
free (tmp_val);
free (str_case);
goto alloc_fail;
return NULL;
}
tmp_val = r_str_replace_icase (tmp_val, key, str_case, 0, 0);
free (str_case);
if (!tmp_val) {
goto alloc_fail;
return NULL;
}
memcpy (p, tmp_val, vlen);
free (tmp_val);
@ -1065,9 +1063,6 @@ R_API R_MUSTUSE char *r_str_replace_icase(char *str, const char *key, const char
}
}
return str;
alloc_fail:
free (str);
return NULL;
}
/* replace the key in str with val.